Cobalt, the pioneer of penetration testing as a service (PTaaS) and leader in offensive security services, today announced the release of its State of LLM Security Report 2025. This new research reveals a widening readiness gap in enterprise security as the rapid adoption of generative AI (genAI) outpaces defenders’ ability to secure it. A staggering 36% of security leaders and practitioners admit that genAI is moving faster than their teams can manage, a sobering reality as organizations continue to embed AI deep into core business operations.
Also Read: The Agentic AI Revolution: Top 5 Must-Have Agents for Telcos in 2025
Despite growing concern, many are calling for a timeout: 48% of respondents believe a “strategic pause” is needed to recalibrate defenses against genAI-driven threats. But that pause isn’t coming.
“Threat actors aren’t waiting around, and neither can security teams,” said Gunter Ollmann, CTO, Cobalt. “Our research shows that while genAI is reshaping how we work, it’s also rewriting the rules of risk. The foundations of security must evolve in parallel, or we risk building tomorrow’s innovation on today’s outdated safeguards.”
Key findings from the report include:
- 72% of respondents cite genAI-related attacks as their top IT risk, but 33% are still not conducting regular security assessments, including penetration testing, for their LLM deployments.
- 50% of respondents want more transparency from software suppliers about how they detect and prevent vulnerabilities, signaling a growing trust gap in the AI supply chain.
- Security leaders (C-suite and VP level) are more concerned about long-term genAI threats like adversarial attacks (76%) versus the 68% of practitioners which expressed the same concern. However when it came to near-term operational risks such as inaccurate outputs, 45% of practitioners expressed concern versus 36% of security leaders.
- Top concerns among all survey respondents include sensitive information disclosure (46%), model poisoning or theft (42%), and training data leakage (37%), all pointing to an urgent need to protect the integrity of data pipelines.
- Overall, 69% of serious findings across all pentest categories are resolved but this falls to just 21% of the high-severity vulnerabilities found in LLM pentests. This is a concern given that 32% of LLM pentest findings are serious and is the lowest resolution rate across all test types conducted by Cobalt.
“Much like the rush to cloud adoption, genAI has exposed a fundamental gap between innovation and security readiness,” Ollmann added. “Mature controls were not built for a world of LLMs. Security teams must shift from reactive audits to programmatic, proactive AI testing—and fast.”
Methodology
The report analyzes two different datasets. The majority of analysis is based on data collected during Cobalt pentests. This is supplemented by insights collected via a survey by a third-party research firm, Emerald Research. All penetration testing data analyzed in this report was collected through Cobalt pentests. This spans more than 2,700 organizations. Metadata from these pentests was exported from the Cobalt Offensive Security Platform, sanitized to remove client-identifying and other sensitive details, and provided to Cyentia Institute for independent analysis.
Also Read: Why Cybersecurity-as-a-Service is the Future for MSPs and SaaS Providers
[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com]
